FDA highlights security flaw in Hospira pumps

The US Food and Drug Administration (FDA) has advised hospitals not to use Hospira’s Symbiq infusion system, saying a security vulnerability could allow cyber attackers to take remote control of the system.

The FDA issued the advisory after the US Department of Homeland Security (DHS) warned of the vulnerability in the pump, which is used to deliver medications directly into the bloodstream of patients.

The FDA and DHS cited research from independent cyber security expert Billy Rios, who found that remote attacks could be launched on patients by accessing a hospital's network.

Both the FDA and DHS said they know of no cases where such an attack has been launched.

However, the FDA said in its advisory that it strongly encouraged healthcare facilities to stop using the Symbiq infusion pump system and move to other devices.

In a warning the FDA said: "This could allow an unauthorised user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies."

It is the first time the FDA has advised healthcare providers to discontinue use of a medical device because of a cyber-security vulnerability.

Hospira is working with Symbiq customers to deploy a software update that closes access ports to the pump and includes other cyber-security protections.

In a statement Hospira said: "This option provides our Symbiq customers with another layer of security for the devices while they remain in the market for another few months."

It said that it was also working with customers of its LifeCare PCA and Plum A+ infusion devices, providing advice on how to mitigate cyber-security vulnerabilities.